Re: [fw-wiz] Query on OS hardening
From: Volker Tanger (volker.tanger@discon.de)
Date: 02/20/03
- Previous message: John Adams: "Re: [fw-wiz] Query on OS hardening"
- In reply to: Carson Gaspar: "Re: [fw-wiz] Query on OS hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Volker Tanger <volker.tanger@discon.de> To: firewall-wizards@honor.icsalabs.com Date: Thu, 20 Feb 2003 13:54:17 +0100
Greetings!
Carson Gaspar wrote:
>
> <volker.tanger@discon.de> wrote:
>
>> Quite easy: SSH with distributed keys plus some simple shell scripting.
>> Main advantage is that you won't need to install anything (fancy) on
>> the system in question.
>
> Ah yes... and how much CPU do you have to spare for SSH session setup
> (on both the systemn being monitored and your monitoring server)? And
> how often do you want to collect the data?
On one of the instances I am running the check interval varies 1-5
minutes depending on service, averaging at a bit less than 3 minutes.
Overall load on the management server (P2/400 with 128MB) is 0.1
(uptime) with >100 service checks via SSH. CPU idle (vmstat) averages at 92%
So, yes you are right, you'll have to have an eye on your ressources.
But as long as the central server is basically idling and your checked
machines do the same, I see no problems here.
I tried to run a compromise in older version of ASLCceck where multiple
checks were done within in one single SSH session. But with too much
idle CPU power to burn in *my* setup I decided to split checks and have
a separate SSH session for each single check.
Main advantages:
- flexibility
- no (additional) software needed (at all) on the
machines checked
Main disadvantage:
- high(er) CPU and network load on server and client
So as long as you know what you're doing...
;-)
So thanks for explicitly pointing to that problem - and for this reason
fowarded to FWTOOLS, too.
Bye
Volker Tanger
IT-Security Consulting
-- discon gmbh Wrangelstraße 100 D-10997 Berlin Telefon (030) 6104-3307 Telefax (030) 6104-3461 volker.tanger@discon.de http://www.discon.de/ _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Next message: Loomis, Rip: "RE: [fw-wiz] DNS UDP packets > 512 bytes"
- Previous message: John Adams: "Re: [fw-wiz] Query on OS hardening"
- In reply to: Carson Gaspar: "Re: [fw-wiz] Query on OS hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
